xiaohongshu-mcp-integration
Fail
Audited by Snyk on May 16, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill's tool call examples and workflow require the agent to accept and include session tokens (xsec_token/feed_id) verbatim in generated tool-call arguments (JSON/HTTP requests), which exposes secrets through the model's output and creates exfiltration risk.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). The presence of precompiled platform-specific binaries in the GitHub Releases of an unfamiliar/low-visibility account (xpzouying) is a high-risk distribution vector for malware unless you can audit/build the source yourself; the git repo, example.com image, ara.so domain and localhost endpoint are not direct evidence of malware but do not mitigate the risk of running untrusted executables.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The SKILL.md shows the MCP server fetches public, user-generated Xiaohongshu content via tools like xhs_search, xhs_get_recommend_feeds, and xhs_get_note_detail (see "Content Discovery" and the "Common Patterns" sections), and explicitly uses that content to analyze posts and drive actions (publish, like, comment), so untrusted third-party content can materially influence agent behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.70). The skill explicitly fetches and runs remote code at runtime (e.g., git clone https://github.com/xpzouying/xiaohongshu-mcp.git, downloading releases from https://github.com/xpzouying/xiaohongshu-mcp/releases, or docker pull xpzouying/xiaohongshu-mcp:latest); these are required external binaries/images that will be executed locally.
Issues (4)
W007
HIGH Insecure credential handling detected in skill instructions.
E005
CRITICAL Suspicious download URL detected in skill instructions.
W011
MEDIUM Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata